ASA Firewall – Packet Classification in Multiple Contexts Mode

By Yusuf Bhaiji

Security Contexts Overview

Firewall OS software version 7.0 introduced the capability of creating virtual partitions within a single physical firewall, also known as security contexts. Each context is a virtualized logical firewall inside one physical appliance and behaves as an independent firewall with the usual capabilities: address translation, static routing, protocol inspection, ACLs, and so on. Three feature groups are the exception: dynamic routing protocols, VPN and multicast are not supported in multiple context mode.

There are two ways to set up multiple security contexts:

  • Multiple contexts in Routed mode (supports Shared Interface)
  • Multiple contexts in Transparent mode (does not support Shared Interface)

Figure 1 illustrates the basic scenario when using multiple contexts.

Packet Classifier Function

As shown in Figure 1, for each packet entering the firewall the correct entry point must be determined from the packet's destination. The entry point determines which context the packet enters and, after processing, leaves through on its way to the final destination.

Several criteria and conditions must be checked to make this decision. The function that makes the decision within the firewall is called the classifier.

The classifier function uses one of the following three criteria, checked in this order, to determine the correct context for the packet:

  1. Unique interface
  2. Unique MAC address
  3. NAT configuration

The following sections will elaborate on each of these criteria.

Classifying Using Unique Interface

This method is the fundamental behavior and the default policy in scenarios where unique interfaces are assigned to each context and no interface is shared: a packet arriving on an interface that belongs to exactly one context is classified into that context, and no further criteria are checked. It is also the only policy available in transparent mode, which requires a unique set of interfaces in each context and does not support shared interfaces.

Classifying Using Unique MAC Address

When using shared interfaces across multiple contexts, the classifier uses the unique MAC address policy to determine the context path. By default, a shared interface does not have a unique MAC address per context; every context answers on the physical burned-in address (BIA).

In order for the classifier to determine the correct context, the shared interface must have a unique MAC address in each context. You can assign one manually with the interface-level mac-address command inside each context, or enable the global command mac-address auto in the system execution space so the firewall generates them.

Figure 2 illustrates an example of packet classification using unique MAC address when using shared interface across the multiple contexts.

As shown in Figure 2, contexts #1 and #2 share the Gig0/0 interface, so the MAC address on the shared interface must be unique per context. If unique MAC addresses were not configured, the upstream device would resolve both contexts' addresses to the same built-in MAC address during the ARP process, and an arriving packet would qualify to enter both contexts.

With unique MAC addresses configured, the destination MAC of the arriving frame identifies Context #2 as the entry point, and the packet takes the correct path.

Classifying Using NAT Configuration

In scenarios that use shared interfaces without unique MAC addresses, the classifier falls back to the NAT configuration: it compares the packet's final destination address against the translation rules (the mapped, or global, addresses) in each context to determine the correct path. This method applies only where unique MAC addresses are not used on the shared interface and the classifier therefore cannot determine the entry point from the frame itself; the workaround is to rely on the address translation rules within the contexts. The mapped addresses must be unique across contexts for this to work: a destination that is claimed by no context's translation rules cannot be classified, and the packet is dropped.

Figure 3 illustrates an example of packet classification using NAT configuration when using shared interface (without unique MAC address) across the multiple contexts.

As shown in Figure 3, contexts #1 and #2 share the Gig0/0 interface but do not have unique MAC addresses. Both use the default physical BIA "ABCD.1234.ABCD".

In this situation, the ASA classifier uses the NAT translation rule that matches the destination address to determine the entry point into Context #2.

As shown in Figure 3, the packet arriving for destination has a corresponding NAT rule that translates to , which directs the classifier to forward the packet through Context #2.
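The shared-outside scenario of Figures 2 and 3, written out as configuration. This is an added example prepared for this page, not the author's configuration and not taken from the figures. It assumes the pre-8.3 static NAT syntax, two routed contexts named ctx1 and ctx2 that share GigabitEthernet0/0 toward an upstream router at 203.0.113.1, and the constructed addresses 203.0.113.0/24, 10.1.1.0/24, 10.2.2.0/24 and locally administered MACs 0200.0000.0001/0002. Option A (mac-address auto in the system execution space) and Option B (a hand-assigned mac-address in each context) are alternatives; the static rules give each context a distinct mapped address so the NAT fallback also works if neither option is enabled.

```cisco
! ---- System execution space (constructed example, not from the article) ----
! Option A: generate a unique MAC per context on every shared interface
mac-address auto
!
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx1.cfg
!
context ctx2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctx2.cfg

! ---- ctx1.cfg ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
 ! Option B: hand-assigned unique MAC (omit when mac-address auto is used)
 mac-address 0200.0000.0001
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Mapped address 203.0.113.21 exists only in ctx1; the classifier's NAT
! fallback can match it if the shared interface MAC is not unique.
static (inside,outside) 203.0.113.21 10.1.1.21 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ---- ctx2.cfg ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.12 255.255.255.0
 mac-address 0200.0000.0002
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
! Mapped address 203.0.113.22 exists only in ctx2
static (inside,outside) 203.0.113.22 10.2.2.22 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

After the contexts load, run show interface inside each context and confirm the MAC address reported for GigabitEthernet0/0 differs between ctx1 and ctx2; if both still show the BIA, the upstream router's ARP cache will map 203.0.113.11, 203.0.113.12, 203.0.113.21 and 203.0.113.22 to one MAC and the classifier will have to fall back to the static rules. Do not use the same mapped address in two contexts: a packet whose destination matches in both cannot be classified.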

Using Shared Interface on the Inside Network

As shown in the previous examples, the most common use of a shared interface across contexts is on the outside network, facing the upstream device. This is typical when you have a single exit point out of your network and all contexts must use the same network on the outside segment.

However, in some scenarios you can also share an interface on the inside network segment, with major restrictions. The classifier then relies on address translation to determine the context, matching the destination address against the corresponding NAT rule (an outside NAT rule, whose mapped address is visible on the inside segment).

If you are not using address translation, or nat-control is disabled, you must ensure the shared inside interface has a unique MAC address in each context.
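The inside-shared case, as an added example prepared for this page (not the author's configuration). It assumes the pre-8.3 NAT syntax, that GigabitEthernet0/1 is the shared inside segment 10.1.1.0/24 while each context has its own outside interface, and the constructed outside server addresses 198.51.100.10 and 198.51.100.20 with outside networks 203.0.113.0/24 and 192.0.2.0/24. Each context publishes its outside server on the inside segment through an outside NAT rule with a distinct mapped address, which is what the classifier uses to pick the context for traffic arriving from the shared inside interface.

```cisco
! ---- System execution space (constructed example) ----
! GigabitEthernet0/1 is shared as the INSIDE segment of both contexts
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx1.cfg
!
context ctx2
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/2
 config-url disk0:/ctx2.cfg

! ---- ctx1.cfg: outside server 198.51.100.10 is reached through Gi0/0 ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
nat-control
! Outside NAT: inside hosts reach 198.51.100.10 by sending to 10.1.1.201.
! 10.1.1.201 is mapped only in ctx1, so a packet from the shared inside
! segment to that destination is classified into ctx1 despite the shared MAC.
static (outside,inside) 10.1.1.201 198.51.100.10 netmask 255.255.255.255
! Ordinary inside-to-outside PAT for the inside hosts themselves
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ---- ctx2.cfg: outside server 198.51.100.20 is reached through Gi0/2 ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 192.0.2.12 255.255.255.0
!
nat-control
! Distinct mapped address 10.1.1.202 selects ctx2
static (outside,inside) 10.1.1.202 198.51.100.20 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1

! Without address translation (or with nat-control disabled) give the shared
! inside interface a unique MAC in each context instead, for example:
!   interface GigabitEthernet0/1
!    mac-address 0200.0000.0011      (in ctx1)
!    mac-address 0200.0000.0012      (in ctx2)
```

Inside hosts send to the mapped addresses 10.1.1.201 and 10.1.1.202, never to the real server addresses; a packet from the shared inside segment whose destination matches no context's outside NAT rule has nothing for the classifier to match and is dropped, which is why the unique-MAC alternative in the trailing comment is required once translation is removed.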

About the author:

Yusuf Bhaiji, CCIE No. 9305 (R&S and Security), has been with Cisco Systems for seven years and is currently the program manager for Cisco CCIE Security certification and CCIE proctor in the Cisco Dubai Lab. Prior to this, he was technical lead for the Sydney TAC Security and VPN team.

Yusuf's passion for security technologies and solutions has played a dominant role in his 17 years of industry experience, from as far back as his initial master's degree in Computer Science.

Yusuf is an advisory board member of several non-profit organizations for the dissemination of technologies and promotion of indigenous excellence in the field of internetworking through academic and professional activities. Yusuf chairs the Networkers Society of Pakistan (NSP) and IPv6 Forum Pakistan chapter.

In addition to authoring Network Security Technologies and Solutions and CCIE Security Practice Labs, Yusuf has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He is a frequent lecturer and well-known speaker presenting at several conferences and seminars worldwide.

Network Security Technologies and Solutions (CCIE Professional Development Series)

Yusuf Bhaiji
ISBN-10: 1-58705-246-6
Pub Date: 3/20/2008
US SRP $80.00
Publisher: Cisco Press